Solved

AD DNS - I can ping some IPs but not others

Posted on 2008-10-15
Last Modified: 2012-05-05
I have an AD forest with 1 domain and 7 subdomains.
I'm using AD-integrated DNS.
One of my subdomains has 2 sites.
I created an OU within the subdomain that houses all of the 2nd site's servers, users, etc.
I can ping servers and workstations in all domains from the 2nd site, except for a few. I don't know what's stopping me from pinging our "internet filter" from this site. I can ping something within the same IP range, like 192.168.xx.11, but not 192.168.xx.12...

Question by:bernardb
22 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22724786

You can't ping by IP address?

Or is it Name Resolution that's at fault? That is, if you run "nslookup <host>" does it reply?

Can you connect to other services on the server? Anything running as TCP can be tested with telnet <servername> <port>. For example, we can test a connection to an SMTP server with "telnet server 25", or a web server with "telnet server 80". In most cases a successful connection is shown by a blank screen, anything but an error message is good :)

Chris
0
 

Author Comment

by:bernardb
ID: 22724833
Also, from all other domains, when I ping the filter I get the following
filter.domain.com

when I ping from the problem site, I get

filter.subdomain.domain.com

it should be filter.domain.com
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22724884

Does filter exist as a record in DNS in subdomain? Or does a wildcard exist (*)? Or is WINS forwarding enabled for subdomain?

I take it you get the wrong IP back in subdomain?

Chris
0
 

Author Comment

by:bernardb
ID: 22724923
I can't ping 192.168.xx.50 from this specific site, but I can from all other domains and sites.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22724972

Then the problem isn't DNS, it's network level. Something is blocking ICMP, you need to check any Firewalls between the client and the server, and any firewalls running on the server.

Chris
0
 

Author Comment

by:bernardb
ID: 22725175
Could the following entries block ICMP?

access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 range 8888 8889
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 range 8888 8889

it's the only entries that are associated with the problem site

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22725221

No, but they don't permit it either :)

Chris
0
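To make the implicit-deny point concrete, here is an added example (not code from the thread or from Cisco) that parses PIX entries of the shape posted above and evaluates a flow against them first-match, ending in the implicit deny. The addresses are constructed: the masked "xx" octets are replaced with 192.168.10.0/24 and 206.90.1.245.

```python
import ipaddress

# Constructed sample shaped like the four PIX entries in the thread; masked octets are made up.
ACL_TEXT = """\
access-list acl_inside permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.10 eq 8080
access-list acl_inside permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.10 range 8888 8889
access-list acl_inside permit tcp 192.168.10.0 255.255.255.0 host 206.90.1.245 eq 8080
access-list acl_inside permit tcp 192.168.10.0 255.255.255.0 host 206.90.1.245 range 8888 8889
"""

def _addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net, dport_range); dport_range None = any port."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        ports = None
        if i < len(t) and t[i] == "eq":          # single destination port
            ports = range(int(t[i + 1]), int(t[i + 1]) + 1)
        elif i < len(t) and t[i] == "range":     # inclusive destination port range
            ports = range(int(t[i + 1]), int(t[i + 2]) + 1)
        aces.append((t[2], t[3], src, dst, ports))
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation ending in the PIX implicit deny. Returns 'permit' or 'deny'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, ports in aces:
        if p not in (proto, "ip") or s not in src or d not in dst:
            continue
        if ports is not None and (dport is None or dport not in ports):
            continue
        return action
    return "deny"  # nothing matched: implicit deny at the end of the list
```

With this list, `evaluate(parse_acl(ACL_TEXT), "icmp", "192.168.10.20", "192.168.10.50")` returns "deny" (no entry mentions ICMP), while TCP 8080 to 192.168.10.10 returns "permit".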
 

Author Comment

by:bernardb
ID: 22725255
I may have missed the following. I can ping and get the following from the other sites:
ping 192.168.xx.50
I get good replies and it shows up as "filter.domain.com"

when I ping from the problem site, I get
ping filter.subdomain.domain.com
I get request time outs and it shows up as "filter.subdomain.com"

it should be filter.domain.com

Make sense? Hope I'm explaining fully
0
 

Author Comment

by:bernardb
ID: 22725301
Only one firewall...a PIX with the entries shown. No firewalls on the servers or clients...

access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 192.168.xx.10 range 8888 8889
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 eq 8080
access-list acl_inside permit tcp 192.168.xx.0 255.255.255.0 host 206.90.xx.245 range 8888 8889
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22725316

But is the IP address returned from filter.subdomain.domain.com correct or not?

If it is, take name resolution out and concentrate on the network layer; if it's not, we need to know why subdomain is giving a response for "filter".

Chris
0
 

Author Comment

by:bernardb
ID: 22725347
Yes, the IP address returned from filter.subdomain.domain.com is the correct IP.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22725432

Okay, good :) I did want to be sure about that.

Can you telnet to port 8080 on the server? That will tell us if IP flows properly, if routing is correct.

Chris
0
 

Author Comment

by:bernardb
ID: 22725630
Telnet appears to fail with connection refused from all domains...I tried command line and Putty.

telnet 192.168.xx.50 8080 - connection refused, no matter what site or domain I'm trying it from

Putty, same thing...

But I can ping from the other domains and can't from this site....but telnet fails on all of them
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22725683

Then TCP isn't flowing either. Tracert <ip> and see if the path looks correct?

If you have a number of firewalls in between the sites check the routing, check NAT and check the rule-set.

Chris
0
 

Author Comment

by:bernardb
ID: 22726139
The trace fails to this IP but not to the other. Only one firewall device...and the only connection to
10.203.xxx.50- it goes out my gateway to the service provider and then
U:\>tracert 10.203.xxx.50

Tracing route to iprism.xxxxxxx.org [10.203.xxx.50]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.xxx.1
  2    20 ms    18 ms    34 ms  h-67-100-228-74.nycmny83.covad.net [67.100.xxx.4]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The other trace to a server at the same location as the above appliance goes through fine.

U:\>tracert 10.203.xxx.45

Tracing route to chcsfp01.xxxxxx.org [10.203.xxx.45]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.xxx.1
  2    18 ms    19 ms    18 ms  h-67-100-228-74.nycmny83.covad.net [67.100.xxx.74]
  3    20 ms    19 ms    19 ms  chcsfp01.xxxxxxx.org [10.203.xxx.45]

Trace complete.
0
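As an added example (not from the thread), a small parser for Windows tracert output like the two traces above, which reports the last hop that answered and whether the target itself replied. The samples are constructed in the shape of the posted traces, with masked octets and names replaced by made-up values and the long run of timed-out hops cut short.

```python
import re

# Constructed samples shaped like the two tracert outputs in the thread; masked values are made up
# and the run of timed-out hops is cut short.
TRACE_FILTER = """\
Tracing route to iprism.example.org [10.203.1.50]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2    20 ms    18 ms    34 ms  h-67-100-228-74.nycmny83.covad.net [67.100.228.74]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Trace complete.
"""
TRACE_FILESERVER = """\
Tracing route to chcsfp01.example.org [10.203.1.45]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2    18 ms    19 ms    18 ms  h-67-100-228-74.nycmny83.covad.net [67.100.228.74]
  3    20 ms    19 ms    19 ms  chcsfp01.example.org [10.203.1.45]

Trace complete.
"""

def parse_tracert(text):
    """Parse Windows tracert output. Returns the target IP, the hops as (number, host-or-None),
    the last hop that answered, and whether the target itself answered."""
    target_ip = re.search(r"Tracing route to \S+ \[([\d.]+)\]", text).group(1)
    hops = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())   # hop no., three RTT columns, host field
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        host = None if parts[4].startswith("Request timed out") else parts[4]
        hops.append((int(parts[0]), host))
    answered = [(n, h) for n, h in hops if h]
    last = answered[-1] if answered else (0, None)
    name = last[1] or ""
    reached = name == target_ip or name.endswith(f"[{target_ip}]")
    return {"target_ip": target_ip, "hops": hops, "last_reply": last, "reached": reached}
```

Run on both samples, the trace to the filter dies after hop 2 (the covad gateway) while the trace to the file server reaches its target at hop 3, which is the comparison Chris Dent draws next.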
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22729599

Well it's going to the same gateway, can we check on h-67-100-228-74.nycmny83.covad.net?

Chris
0
 

Author Comment

by:bernardb
ID: 22741578
Covad says they will check, but it doesn't look like them...the Covad tech couldn't specify, but he thinks it's a DNS issue. He said because I get a successful ping and trace to a server in the same subnet and location....I'm stumped at the moment.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22741790

But if the IP returned is the same, or you can't ping / trace when only using IP then DNS is completely out of the window. As soon as you get the IP back DNS is finished.

Chris
0
 

Author Comment

by:bernardb
ID: 22744213
So sorry for the delayed response...
So you say because it shows "Pinging iprism.xxxxxx.xxxxxx.org [10.203.xxx.50] with 32 bytes of data:"...it eliminates DNS?


U:\>ping iprism

Pinging iprism.xxxxxx.xxxxxx.org [10.203.xxx.50] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.203.xxx.50:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 22744255

If the IP is correct the DNS cannot be to blame because it's done its job properly :)

That puts us back at troubleshooting the network level, because that shouldn't be remotely interested in the name used to access a resource.

Chris
0
 

Author Comment

by:bernardb
ID: 22745740
I will continue to troubleshoot...and keep you updated. Thanks for your help, and if you can think of anything at the network level to check, I will.

Thanks again
0
 

Author Closing Comment

by:bernardb
ID: 31508941
Thank you for all of your help...The problem was my fault. The device was an internet filter located at another site. When I filled out the network section, I left out a number.....I slowly went over each setting and noticed it...My apologies.
0
